The vast majority of cloud providers are not yet prepared to meet the requirements of the new EU
General Data Protection Regulation that will come into effect next year to replace the EU Data
Protection Directive adopted in 1995, research has revealed.

Only one in 100 cloud service providers is ready for the new data protection directive, which
aims to modernise the older directive to suit the needs of the internet and cloud era.

The new directive, which could be passed in 2014 for implementation in 2015, requires data
controllers (enterprises that own the data) and data processors (such as cloud providers and
datacentre hosting companies) to share the liability for data breaches and violations of the
law.

The proposed regulation will apply to European businesses that process personal data and to
businesses outside the EU that monitor EU citizens or process personal data obtained from offering
goods or services to EU citizens.

But the study of more than 7,000 cloud services by security provider Skyhigh Networks revealed
that suppliers have significant issues around new regulatory requirements such as data residency,
data breach detection and notification, encryption and data deletion policies (the
right to be forgotten).


“It’s staggering how few cloud providers are prepared for the new EU regulations but,
fortunately, there’s still time for providers to get into shape. This means addressing a number of
complex issues now, such as the right to be forgotten, as well as implementing data protection
policies that meet these new standards,” said Charlie Howe, European director for Skyhigh
Networks.

The latest directive is aimed at strengthening consumer and business trust in Europe’s digital
economy.

“For cloud providers this will inevitably require additional resources and expenditures, but
it’s a snip given the proposed penalties for violating the new laws, which can be up to 5% of a
company’s annual revenue or up to €100m,” he warned.

This is in stark contrast with the 1995 Data Protection Directive, which offers no guidance on
penalties. The hefty fines will make data protection a boardroom issue and will require companies
to carefully review what they need to do to comply, according to some experts.

The proposed law governs how organisations treat the privacy of personal data and has
far-reaching implications, experts warned.

The right to be forgotten – a massive headache

One of the most well-publicised and controversial amendments to the new regulation is the right to
be forgotten – where individuals have the civil right to request that personal information be
removed from the internet. “It is a complex issue but, given the media interest surrounding it, one
that’s unlikely to blindside cloud providers,” Howe said.

“Still, when you consider that the average organisation uses 738 cloud services, complying with
this requirement presents some unique challenges. A big problem is that 63% of cloud providers
maintain data indefinitely or have no provisions for data retention in their terms and conditions,”
he added.

On top of this, another 23% of cloud providers maintain the right to share data with another
third party in their terms and conditions, making it even more difficult to ensure all copies are
deleted, the study found.

“It’s fair to say that the right to be forgotten could turn out to be a massive headache for
many organisations – cloud service providers themselves and those companies using these services –
it’s not just an issue for Google,” Howe said.

The study also revealed that only 11 countries satisfy EU privacy requirements around
data residency.

The regulation requires that enterprises do not store in or transfer data through countries
outside the European Economic Area that do not have equivalently strong data protection
standards.

The data residency requirements also apply to cloud providers with datacentres around the world,
which in the normal course of operation may transfer and store data in countries that do not meet
European privacy rules.

The US, where the majority (67%) of all cloud datacentres are headquartered, is not among these
11 countries.

Data residency will be a significant issue for cloud services when the new regulations come into
force – especially as only 8.9% of US providers have the Safe Harbor Certification, which
provides exemption to these regulations, according to Skyhigh Networks.

“A draft version of the new regulation would require organisations to notify EU regulatory
authorities within 24 hours of a data breach, even if the breach occurs in a third-party cloud
service. The problem arises from the fact that many cloud providers expressly put the
responsibility on the customer to detect breaches and this can be an impossible task,” said
Howe.

“Some existing regulations, including the UK General Data Protection Regulation and France Data
Protection Act, allow organisations to circumvent breach notification requirements if data is made
inaccessible to third parties using encryption. Unfortunately, only 1.2% of cloud providers today
provide the tenant-managed encryption keys required to do so,” he added.
